
A backdoor in xz

Posted Mar 29, 2024 20:15 UTC (Fri) by bkw1a (subscriber, #4101)
In reply to: A backdoor in xz by cjwatson
Parent article: A backdoor in xz

Every time a patch pulls in a new dependency, it increases our attack surface. That needs to be weighed against the benefit of the patch. For something like sshd, it seems like the openssh developers, who have security as their primary focus, should be the ones we trust to make that decision.


A backdoor in xz

Posted Mar 29, 2024 20:23 UTC (Fri) by cjwatson (subscriber, #7322) (2 responses)

I mean, look, I defer to the openssh developers on a _lot_ of stuff, but they're not the ones trying to integrate with the rest of our distribution and that does sometimes force some different decisions. The best I can do is document all the deviations as clearly as possible.

A backdoor in xz

Posted Mar 29, 2024 22:02 UTC (Fri) by dilinger (subscriber, #2867) (1 responses)

Also, what *is* "critical security infrastructure"? Is firefox/chromium critical security infrastructure? Is glibc? libz? libsasl? libselinux? Systemd does a whole lot of critical things on my system; is that critical security infrastructure that we shouldn't be patching?

On a lot of desktops, sshd isn't even installed. Is it critical security infrastructure because it's installed on some servers you consider important? What about the other daemons installed on important servers, like nginx/apache (and often the whole lamp stack)?

If you actually look at attack vectors, you start realizing pretty quickly that A LOT of software could (or should) be considered critical security infrastructure, and it's pretty unrealistic to not have to patch all of those bits of software to work on Debian's many desktop/server environments and hardware architectures. That also assumes that we can trust upstreams to not backdoor their code, which, as this example shows us, we clearly cannot.

A backdoor in xz

Posted Apr 3, 2024 5:44 UTC (Wed) by Lennie (subscriber, #49641)

The funny part is: any software installed becomes critical security infrastructure if a FOSS developer develops the software on his primary laptop which holds the SSH keys used for git commit signing and git push.

A backdoor in xz

Posted Mar 29, 2024 23:58 UTC (Fri) by mcatanzaro (subscriber, #93033)

Sounds good, but in this case I think that's just wrong. You really want systemd to accurately know whether sshd is running or not. If systemd doesn't know, then you don't know, and that's a security disaster.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds